# SARE Header Abuse Ruleset for SpamAssassin -- file 2
# Version:  01.03.21
# Created:  2004-04-25
# Modified: 2006-05-21
# Usage instructions and documentation in 70_sare_header0.cf 

# Full Revision History / Change Log in 70_sare_header.log
#@@# 01.03.20  May 20 2005 
#@@#           Minor score updates based on additional mass-check
#@@#           Modified "rule has been moved" meta flags 
#@@#           Moved file 0 to file 2           SARE_BOUNDARY_02
#@@#           Moved file 0 to file 2           SARE_BOUNDARY_ANYDIG
#@@#           Moved file 0 to file 2           SARE_BOUNDARY_D11
#@@#           Moved file 0 to file 2           SARE_FROM_SPAM_NAME2
#@@#           Moved file 0 to file 2           SARE_FROM_WSJ
#@@#           Moved file 0 to file 2           SARE_HEAD_BDY_BOUNCES %%% OR ARCHIVE
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_CONVER
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_NLETRID
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_PID
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_XBNCETR
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_XGMAILA
#@@#           Moved file 0 to file 2           SARE_HEAD_HDR_XIDSRVR
#@@#           Moved file 0 to file 2           SARE_HEAD_THRD_ALNUM
#@@#           Moved file 0 to file 2           SARE_HEAD_XM4
#@@#           Moved file 0 to file 2           SARE_HEAD_XMF_AUTHSNDR
#@@#           Moved file 0 to file 2           SARE_HELO_MAILUSER
#@@#           Moved file 0 to file 2           SARE_MSGID_HEX30
#@@#           Moved file 0 to file 2           SARE_MULT_SEXCLUB
#@@#           Moved file 0 to file 2           SARE_MULT_SUBJ
#@@#           Moved file 0 to file 2           SARE_RECV_IP_004078
#@@#           Moved file 0 to file 2           SARE_RECV_IP_038112147
#@@#           Moved file 0 to file 2           SARE_RECV_IP_064192082
#@@#           Moved file 0 to file 2           SARE_RECV_IP_066063
#@@#           Moved file 0 to file 2           SARE_RECV_IP_066114a
#@@#           Moved file 0 to file 2           SARE_RECV_IP_066159017
#@@#           Moved file 0 to file 2           SARE_RECV_IP_069060122
#@@#           Moved file 0 to file 2           SARE_RECV_IP_070096177
#@@#           Moved file 0 to file 2           SARE_RECV_IP_207182
#@@#           Moved file 0 to file 2           SARE_RECV_IP_208048182
#@@#           Moved file 0 to file 2           SARE_RECV_IP_216055133
#@@#           Moved file 0 to file 2           SARE_RECV_LOCALHOST
#@@#           Moved file 0 to file 2           SARE_RECV_SUSP_2
#@@#           Moved file 0 to file 2           SARE_RECV_TRADVALUES
#@@#           Moved file 0 to file 2           SARE_RECV_VIPLIST
#@@#           Moved file 0 to file 2           SARE_RECV_XACTRIX
#@@#           Moved file 0 to file 2           SARE_REPLY_XACTRIX
#@@#           Moved file 0 to file 2           SARE_XMAIL_DIRUNIV
#@@#           Moved file 0 to file 2           SARE_XMAIL_INTERMED
#@@#           Moved file 0 to file 2           SARE_XMAIL_LEO
#@@#           Moved file 0 to file 2           SARE_XMAIL_PHPBulkEmai
#@@#           Moved file 0 to file 3           SARE_RECV_ADDR5
#@@#           Moved file 1 to file 2           SARE_HEAD_DATE_RNDDATE
#@@#           Moved file 1 to file 2           SARE_HEAD_HDR_MSGTYPE
#@@#           Moved file 1 to file 2           SARE_HEAD_HDR_X400RCV
#@@#           Moved file 1 to file 2           SARE_HEAD_HDR_XCNDINF
#@@#           Moved file 1 to file 2           SARE_HEAD_HDR_XRIPE
#@@#           Moved file 1 to file 2           SARE_HEAD_HDR_XSAFMMI
#@@#           Moved file 1 to file 2           SARE_RECV_IP_062023
#@@#           Moved file 1 to file 2           SARE_RECV_IP_065205157
#@@#           Moved file 1 to file 2           SARE_RECV_IP_066248154
#@@#           Moved file 1 to file 2           SARE_RECV_IP_206248152
#@@#           Moved file 1 to file 2           SARE_RECV_RND_DATE
#@@#           Moved file 1 to file 2           SARE_XMAIL_GDI
#@@#           Moved file 2 to file 0           SARE_HEAD_HDR_CONVWLS
#@@#           Moved file 2 to file 0           SARE_HEAD_SUBJ_RAND
#@@#           Moved file 2 to file 0           SARE_HEAD_XORIP_IP
#@@#           Moved file 2 to file 3           SARE_MULT_RATW_03
#@@#           Returned file 2 to file 0        SARE_HEAD_HDR_EPATH
#@@#           Returned file 2 to file 0        SARE_RECV_IP_063111025
#@@#           Returned file 2 to file 1        SARE_RECV_IP_142046
#@@# 01.03.21  May 21 2005 
#@@#           Minor repairs to "downgraded rule" metas. 

########  ######################   ##################################################
#    Meta rules used to prevent --lint errors after moving/changing rules
########  ######################   ##################################################

meta      __SARE_HEAD_FALSE        __FROM_AOL_COM && !__FROM_AOL_COM
meta      SARE_MULT_RATW_03        __SARE_HEAD_FALSE

########  ######################   ##################################################
#    Component rules used within meta rules 
########  ######################   ##################################################

header    __SARE_HEAD_8BIT_SUBJ    Subject =~ /[\x80-\xff]{3,}/

#####################################################################################
#         SARE Header-Exists rules
########  ######################   ##################################################

header    SARE_HEAD_HDR_CONVER     exists:Conversion
describe  SARE_HEAD_HDR_CONVER     Message headers used which identify spam
score     SARE_HEAD_HDR_CONVER     1.111 
#stype    SARE_HEAD_HDR_CONVER     spamp
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_CONVER     54s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_CONVER     9s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_HEAD_HDR_CONVER     10s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_HEAD_HDR_CONVER     5s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_HDR_CONVER     0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_HEAD_HDR_JLH        exists:X-JLH
describe  SARE_HEAD_HDR_JLH        Message headers used which identify spam
score     SARE_HEAD_HDR_JLH        1.111
#stype    SARE_HEAD_HDR_JLH        spamp
#counts   SARE_HEAD_HDR_JLH        0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_HEAD_HDR_JLH        71s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_JLH        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_HDR_JLH        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

header    SARE_HEAD_HDR_MSGTYPE    exists:Message-Type
describe  SARE_HEAD_HDR_MSGTYPE    Message headers used which identify spam
score     SARE_HEAD_HDR_MSGTYPE    0.555
#stype    SARE_HEAD_HDR_MSGTYPE    spamp
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_MSGTYPE    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_MSGTYPE    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_NLETRID    exists:Newsletter-ID
describe  SARE_HEAD_HDR_NLETRID    Message headers used which identify spam
score     SARE_HEAD_HDR_NLETRID    1.666
#stype    SARE_HEAD_HDR_NLETRID    spamp
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_HDR_NLETRID    173s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_HEAD_HDR_NLETRID    1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_HDR_NLETRID    28s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_NLETRID    12s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_NLETRID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_PID        exists:PID
describe  SARE_HEAD_HDR_PID        Message headers used which identify spam
score     SARE_HEAD_HDR_PID        1.666
#stype    SARE_HEAD_HDR_PID        spamp
#counts   SARE_HEAD_HDR_PID        0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_PID        139s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_PID        36s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#max      SARE_HEAD_HDR_PID        20s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_HDR_PID        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_REDIRTO    exists:Redirect-to
describe  SARE_HEAD_HDR_REDIRTO    Message headers used which identify spam
score     SARE_HEAD_HDR_REDIRTO    0.555
#stype    SARE_HEAD_HDR_REDIRTO    spamp
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_REDIRTO    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_REDIRTO    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_ROT        exists:Rot
describe  SARE_HEAD_HDR_ROT        Message headers used which identify spam
score     SARE_HEAD_HDR_ROT        0.555
#stype    SARE_HEAD_HDR_ROT        spamp
#counts   SARE_HEAD_HDR_ROT        0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_ROT        3s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_ROT        2s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_ROT        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_RTNPATH    exists:List-Return-Path
describe  SARE_HEAD_HDR_RTNPATH    Message headers used which identify spam
score     SARE_HEAD_HDR_RTNPATH    1.111
#stype    SARE_HEAD_HDR_RTNPATH    spamp
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_HEAD_HDR_RTNPATH    32s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_RTNPATH    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_WCMSGID    exists:WcMessage-ID
describe  SARE_HEAD_HDR_WCMSGID    Message headers used which identify spam
score     SARE_HEAD_HDR_WCMSGID    0.555
#stype    SARE_HEAD_HDR_WCMSGID    spamp
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_WCMSGID    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_WCMSGID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_X400MTI    exists:X400-MTS-Identifier
describe  SARE_HEAD_HDR_X400MTI    Message headers used which identify spam
score     SARE_HEAD_HDR_X400MTI    0.555
#stype    SARE_HEAD_HDR_X400MTI    spamp
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_X400MTI    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_X400MTI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_X400RCV    exists:X400-Received
describe  SARE_HEAD_HDR_X400RCV    Message headers used which identify spam
score     SARE_HEAD_HDR_X400RCV    0.555
#stype    SARE_HEAD_HDR_X400RCV    spamp
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_X400RCV    1s/0h of 114261 corpus (81069s/33192h RM) 01/15/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_X400RCV    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XAR        exists:X-AR
describe  SARE_HEAD_HDR_XAR        Message headers used which identify spam
score     SARE_HEAD_HDR_XAR        0.555
#stype    SARE_HEAD_HDR_XAR        spamp
#counts   SARE_HEAD_HDR_XAR        0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_HDR_XAR        2s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
#counts   SARE_HEAD_HDR_XAR        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XAR        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XAR        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XAR        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XAUTGEN    exists:X-Auto-Generated
describe  SARE_HEAD_HDR_XAUTGEN    Message headers used which identify spam
score     SARE_HEAD_HDR_XAUTGEN    0.555
#stype    SARE_HEAD_HDR_XAUTGEN    spamp
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XAUTGEN    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XAUTGEN    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XBNCETR    exists:X-BounceTrace
describe  SARE_HEAD_HDR_XBNCETR    Message headers used which identify spam
score     SARE_HEAD_HDR_XBNCETR    1.111
#stype    SARE_HEAD_HDR_XBNCETR    spamp
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XBNCETR    96s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XBNCETR    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XCNDINF    exists:X-CND-Info
describe  SARE_HEAD_HDR_XCNDINF    Message headers used which identify spam
score     SARE_HEAD_HDR_XCNDINF    0.555
#stype    SARE_HEAD_HDR_XCNDINF    spamp
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XCNDINF    6s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCNDINF    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XCROSS     exists:X-cross
describe  SARE_HEAD_HDR_XCROSS     Message headers used which identify spam
score     SARE_HEAD_HDR_XCROSS     0.100
#stype    SARE_HEAD_HDR_XCROSS     spamp
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XCROSS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XEMGBMS    exists:X-EMailGateBouncedMessage
describe  SARE_HEAD_HDR_XEMGBMS    Message headers used which identify spam
score     SARE_HEAD_HDR_XEMGBMS    0.555
#stype    SARE_HEAD_HDR_XEMGBMS    spamp
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_HEAD_HDR_XEMGBMS    6s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XEMGBMS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XGMAILA    exists:X-Gmail-Account
describe  SARE_HEAD_HDR_XGMAILA    Message headers used which identify spam
score     SARE_HEAD_HDR_XGMAILA    1.111
#stype    SARE_HEAD_HDR_XGMAILA    spamp
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XGMAILA    20s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XGMAILA    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XIDSRVR    exists:X-Identity-Server
describe  SARE_HEAD_HDR_XIDSRVR    Message headers used which identify spam
score     SARE_HEAD_HDR_XIDSRVR    1.111
#stype    SARE_HEAD_HDR_XIDSRVR    spamp
#hist     SARE_HEAD_HDR_XIDSRVR    Bob Menschel, June 3 2005, idea by Alex Broens
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XIDSRVR    15s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_HDR_XIDSRVR    0s/0h of 10590 corpus (5819s/4771h CT) 07/26/05

header    SARE_HEAD_HDR_XLC        exists:X-L-C
describe  SARE_HEAD_HDR_XLC        Message headers used which identify spam
score     SARE_HEAD_HDR_XLC        0.100
#stype    SARE_HEAD_HDR_XLC        spamp
#counts   SARE_HEAD_HDR_XLC        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XLC        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XLC        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XLC        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XLC        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XLIDCOD    exists:X-LIDCode
describe  SARE_HEAD_HDR_XLIDCOD    Message headers used which identify spam
score     SARE_HEAD_HDR_XLIDCOD    0.100
#stype    SARE_HEAD_HDR_XLIDCOD    spamp
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XLIDCOD    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMISCID    exists:X-Misc_ID
describe  SARE_HEAD_HDR_XMISCID    Message headers used which identify spam
score     SARE_HEAD_HDR_XMISCID    0.100
#stype    SARE_HEAD_HDR_XMISCID    spamp
#hist     SARE_HEAD_HDR_XMISCID    FH_XMISCID
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMISCID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMLCIPH    exists:X-mlcipher
describe  SARE_HEAD_HDR_XMLCIPH    Message headers used which identify spam
score     SARE_HEAD_HDR_XMLCIPH    0.100
#stype    SARE_HEAD_HDR_XMLCIPH    spamp
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMLCIPH    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMLMSGI    exists:X-mlmsgid
describe  SARE_HEAD_HDR_XMLMSGI    Message headers used which identify spam
score     SARE_HEAD_HDR_XMLMSGI    0.100
#stype    SARE_HEAD_HDR_XMLMSGI    spamp
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMLMSGI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMAGDID    exists:X-magdalene-ID
describe  SARE_HEAD_HDR_XMAGDID    Message headers used which identify spam
score     SARE_HEAD_HDR_XMAGDID    0.555
#stype    SARE_HEAD_HDR_XMAGDID    spamp
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XMAGDID    1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMAGDID    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMPM       exists:X-mpm
describe  SARE_HEAD_HDR_XMPM       Message headers used which identify spam
score     SARE_HEAD_HDR_XMPM       0.100
#stype    SARE_HEAD_HDR_XMPM       spamp
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMPM       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XMS        exists:X-ms
describe  SARE_HEAD_HDR_XMS        Message headers used which identify spam
score     SARE_HEAD_HDR_XMS        0.100
#stype    SARE_HEAD_HDR_XMS        spamp
#counts   SARE_HEAD_HDR_XMS        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XMS        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XMS        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XMS        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XMS        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XNOSPAM    exists:X-No-Spam
describe  SARE_HEAD_HDR_XNOSPAM    Message headers used which identify spam
score     SARE_HEAD_HDR_XNOSPAM    1.111
#stype    SARE_HEAD_HDR_XNOSPAM    spamp
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_HDR_XNOSPAM    12s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XNOSPAM    4s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XNOSPAM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XNTC       exists:X-ntc
describe  SARE_HEAD_HDR_XNTC       Message headers used which identify spam
score     SARE_HEAD_HDR_XNTC       0.100
#stype    SARE_HEAD_HDR_XNTC       spamp
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XNTC       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPOPB4S    exists:X-Pop-Before-SMTP-Sender
describe  SARE_HEAD_HDR_XPOPB4S    Message headers used which identify spam
score     SARE_HEAD_HDR_XPOPB4S    0.555
#stype    SARE_HEAD_HDR_XPOPB4S    spamp
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#max      SARE_HEAD_HDR_XPOPB4S    1s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPOPB4S    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPOPFLK    exists:X-POPFile-Link
describe  SARE_HEAD_HDR_XPOPFLK    Message headers used which identify spam
score     SARE_HEAD_HDR_XPOPFLK    0.555
#stype    SARE_HEAD_HDR_XPOPFLK    spamp
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XPOPFLK    3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPOPFLK    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMS    exists:X-Prioserve-MailScanner
describe  SARE_HEAD_HDR_XPRIOMS    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMS    0.555
#stype    SARE_HEAD_HDR_XPRIOMS    spamp
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMS    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMF    exists:X-Prioserve-MailScanner-From
describe  SARE_HEAD_HDR_XPRIOMF    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMF    0.555
#stype    SARE_HEAD_HDR_XPRIOMF    spamp
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMF    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMF    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPRIOMI    exists:X-Prioserve-MailScanner-Information
describe  SARE_HEAD_HDR_XPRIOMI    Message headers used which identify spam
score     SARE_HEAD_HDR_XPRIOMI    0.555
#stype    SARE_HEAD_HDR_XPRIOMI    spamp
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPRIOMI    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPRIOMI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XPIROMC    exists:X-Prioserve-MailScanner-SpamCheck
describe  SARE_HEAD_HDR_XPIROMC    Message headers used which identify spam
score     SARE_HEAD_HDR_XPIROMC    0.555
#stype    SARE_HEAD_HDR_XPIROMC    spamp
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_HDR_XPIROMC    1s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XPIROMC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XRBLTST    exists:X-RBL-TST
describe  SARE_HEAD_HDR_XRBLTST    Message headers used which identify spam
score     SARE_HEAD_HDR_XRBLTST    0.555
#stype    SARE_HEAD_HDR_XRBLTST    spamp
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#max      SARE_HEAD_HDR_XRBLTST    2s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRBLTST    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XREC       exists:X-Rec
describe  SARE_HEAD_HDR_XREC       Message headers used which identify spam
score     SARE_HEAD_HDR_XREC       2.222
#stype    SARE_HEAD_HDR_XREC       spamp
#counts   SARE_HEAD_HDR_XREC       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XREC       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XREC       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XREC       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XREC       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XRIPE      exists:X-RIPE
describe  SARE_HEAD_HDR_XRIPE      Message headers used which identify spam
score     SARE_HEAD_HDR_XRIPE      1.111
#stype    SARE_HEAD_HDR_XRIPE      spamp
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XRIPE      16s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 10995 corpus (6568s/4427h CT) 03/10/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/14/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XRIPE      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSAFMMI    exists:X-SafeMailer-MsgId
describe  SARE_HEAD_HDR_XSAFMMI    Message headers used which identify spam
score     SARE_HEAD_HDR_XSAFMMI    0.555
#stype    SARE_HEAD_HDR_XSAFMMI    spamp
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_HDR_XSAFMMI    1s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSAFMMI    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSPAMSC    exists:X-Spam-Score
describe  SARE_HEAD_HDR_XSPAMSC    Message headers used which identify spam
score     SARE_HEAD_HDR_XSPAMSC    0.555 
#stype    SARE_HEAD_HDR_XSPAMSC    spamp
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 60201 corpus (35226s/24975h RM) 08/14/04
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_HDR_XSPAMSC    1s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSPAMSC    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSRK       exists:X-srk
describe  SARE_HEAD_HDR_XSRK       Message headers used which identify spam
score     SARE_HEAD_HDR_XSRK       0.100
#stype    SARE_HEAD_HDR_XSRK       spamp
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSRK       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XSUBID     exists:X-SubID
describe  SARE_HEAD_HDR_XSUBID     Message headers used which identify spam
score     SARE_HEAD_HDR_XSUBID     0.555
#stype    SARE_HEAD_HDR_XSUBID     spamp
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#max      SARE_HEAD_HDR_XSUBID     3s/0h of 114238 corpus (81067s/33171h RM) 01/15/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XSUBID     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XSUBID     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XTRANS     exists:X-Trans
describe  SARE_HEAD_HDR_XTRANS     Message headers used which identify spam
score     SARE_HEAD_HDR_XTRANS     0.100
#stype    SARE_HEAD_HDR_XTRANS     spamp
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XTRANS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XTXTCLS    exists:X-Text-Classification
describe  SARE_HEAD_HDR_XTXTCLS    Message headers used which identify spam
score     SARE_HEAD_HDR_XTXTCLS    0.555
#stype    SARE_HEAD_HDR_XTXTCLS    spamp
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 71334 corpus (43633s/27701h RM) 10/03/04
#max      SARE_HEAD_HDR_XTXTCLS    3s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XTXTCLS    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XVIG       exists:X-Vig
describe  SARE_HEAD_HDR_XVIG       Message headers used which identify spam
score     SARE_HEAD_HDR_XVIG       0.100
#stype    SARE_HEAD_HDR_XVIG       spamp
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XVIG       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XYD        exists:X-yd
describe  SARE_HEAD_HDR_XYD        Message headers used which identify spam
score     SARE_HEAD_HDR_XYD        0.100
#stype    SARE_HEAD_HDR_XYD        spamp
#counts   SARE_HEAD_HDR_XYD        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XYD        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XYD        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XYD        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XYD        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XI         exists:X-I
describe  SARE_HEAD_HDR_XI         Message headers used which identify spam
score     SARE_HEAD_HDR_XI         0.100
#stype    SARE_HEAD_HDR_XI         spamp
#counts   SARE_HEAD_HDR_XI         0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XI         0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XI         0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XI         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XI         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_HDR_XIM        exists:X-IM
describe  SARE_HEAD_HDR_XIM        Message headers used which identify spam
score     SARE_HEAD_HDR_XIM        0.100
#stype    SARE_HEAD_HDR_XIM        spamp
#counts   SARE_HEAD_HDR_XIM        0s/0h of 60624 corpus (35501s/25123h RM) 08/13/04
#counts   SARE_HEAD_HDR_XIM        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_HDR_XIM        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_HDR_XIM        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_HDR_XIM        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Content-Type and Boundary rules
########  ######################   ##################################################

header    SARE_BOUNDARY_01         Content-Type =~ /boundary==?\".{0,}XXXX-/
describe  SARE_BOUNDARY_01         Spam tool pattern in MIME boundary
score     SARE_BOUNDARY_01         0.100
#hist     SARE_BOUNDARY_01         L.MIME_BOUND_SIMPLE
#counts   SARE_BOUNDARY_01         0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_BOUNDARY_01         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_01         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_01         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_BOUNDARY_02         Content-Type =~ /boundary\=('|\")?\~{10,}/
describe  SARE_BOUNDARY_02         Too many ~'s in the boundary.
score     SARE_BOUNDARY_02         0.650
#hist     SARE_BOUNDARY_02         MY_BOUNDARY2
#counts   SARE_BOUNDARY_02         0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_BOUNDARY_02         51s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_BOUNDARY_02         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_BOUNDARY_02         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_BOUNDARY_02         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_BOUNDARY_ANYDIG     Content-Type =~ /boundary="--.*\[\d\]/i
describe  SARE_BOUNDARY_ANYDIG     Content type boundary used in spam and viruses
score     SARE_BOUNDARY_ANYDIG     1.666
#hist     SARE_BOUNDARY_ANYDIG     Created by Bob Menschel May 7 2005, suggested by Alex Broens 
#counts   SARE_BOUNDARY_ANYDIG     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_BOUNDARY_ANYDIG     282s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_BOUNDARY_ANYDIG     0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_BOUNDARY_ANYDIG     3s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_ANYDIG     0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_BOUNDARY_ANYDIG     85s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_BOUNDARY_ANYDIG     2s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_BOUNDARY_D11        Content-Type =~ /boundary="\d{11}"/
describe  SARE_BOUNDARY_D11        Content type boundary used in spam or virus
score     SARE_BOUNDARY_D11        1.666
#stype    SARE_BOUNDARY_D11        spamp
#hist     SARE_BOUNDARY_D11        Created by Bob Menschel May 31 2004
#counts   SARE_BOUNDARY_D11        0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_BOUNDARY_D11        112s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_BOUNDARY_D11        3s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_BOUNDARY_D11        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_BOUNDARY_D11        0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_BOUNDARY_D11        7s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_BOUNDARY_D11        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

full      SARE_CONTENT_BITBITNUM   /\nContent-Encoding: BitBitNUM\n/
describe  SARE_CONTENT_BITBITNUM   Unlikely content encoding
score     SARE_CONTENT_BITBITNUM   1.406
#hist     SARE_CONTENT_BITBITNUM   Loren Wilton, Feb 1 2005
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_CONTENT_BITBITNUM   153s/0h of 95210 corpus (59682s/35528h RM) 02/01/05
#counts   SARE_CONTENT_BITBITNUM   64s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_CONTENT_BITBITNUM   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE From Rules 
########  ######################   ##################################################

header    SARE_FROM_AMERICA        From =~ /[^\-]\bamerica\.com\b/i
describe  SARE_FROM_AMERICA        From user address is used by spammer
score     SARE_FROM_AMERICA        1.111
#stype    SARE_FROM_AMERICA        spamp
#hist     SARE_FROM_AMERICA        Created by Bob Menschel Sep 24 2004
#counts   SARE_FROM_AMERICA        0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#max      SARE_FROM_AMERICA        5s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_FROM_AMERICA        0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FROM_AMERICA        0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_FROM_AMERICA        4s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_FROM_AMERICA        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_AMERICA        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_SPAM_DOMN2     From =~ /\@wses\.(?:com|org)/i
describe  SARE_FROM_SPAM_DOMN2     From address suggests this is spam
score     SARE_FROM_SPAM_DOMN2     0.100
#stype    SARE_FROM_SPAM_DOMN2     spamp
#hist     SARE_FROM_SPAM_DOMN2     RM_fa_wses
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_DOMN2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_SPAM_NAME2     From =~ /(?:Dating Tips|Email-Gallery|everyday-solution|Free Credit Report|FreebieFix|Long Distance|medmicro|Shape Solutions|TMobile Authorized Dealer|TheGolfWarehouses|Typing Teacher|Value Center|freePriority Shipping|koldny|propecia|thedailyfreesamples)/i
describe  SARE_FROM_SPAM_NAME2     From address suggests this is spam
score     SARE_FROM_SPAM_NAME2     1.666
#stype    SARE_FROM_SPAM_NAME2     spamp
#hist     SARE_FROM_SPAM_NAME2     COMBINED.FROM and other sources
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_SPAM_NAME2     140s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_FROM_SPAM_NAME2     1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_FROM_SPAM_NAME2     16s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_SPAM_NAME2     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FROM_VIRUS1         ALL=~ /From:\ssupport\@microsoft.com/
describe  SARE_FROM_VIRUS1         From address suggests this is a virus
score     SARE_FROM_VIRUS1         3.333
#stype    SARE_FROM_VIRUS1         vbgg
#counts   SARE_FROM_VIRUS1         0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_FROM_VIRUS1         21s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_FROM_VIRUS1         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FROM_VIRUS1         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FROM_VIRUS1         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_FROM_WSJ          From:name =~ /Wall Street (?:News Alert|Journal Online|Stock Wizard|Detective|Universe|Update|Chronicle)/i
meta      SARE_FROM_WSJ            __SARE_FROM_WSJ && __SARE_WHITELIST_FLAG && !USER_IN_WHITELIST 
score     SARE_FROM_WSJ            1.666
#hist     SARE_FROM_WSJ            Matt Yackley, Apr 15 2005, expanded by Bob Menschel
#hist     SARE_FROM_WSJ            Dec 24 2005: Added real WSJ whitelist entry to 70_sare_whitelist.cf; added whitelist flags to new meta to force this rule to NOT hit if this is actually the WSJ.
#counts   SARE_FROM_WSJ            0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_FROM_WSJ            86s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#counts   SARE_FROM_WSJ            0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_FROM_WSJ            2s/0h of 10590 corpus (5819s/4771h CT) 07/26/05
#counts   SARE_FROM_WSJ            0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_FROM_WSJ            11s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_FROM_WSJ            0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_FROM_WSJ            258s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_FROM_WSJ            0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

#####################################################################################
#         SARE From Rules -- Emails coming from free webmail accounts
#         Since spam from these can vary depending upon country of origin, 
#         country of destination, policies, and enforcement of policies, 
#         most of these are kept as separate rules rather than combined. 
########  ######################   ##################################################

header    SARE_FREE_WEBM_Iamfi     From =~ /\biamfinallyonline\.com/i
describe  SARE_FREE_WEBM_Iamfi     Sender used free email account - may be spammer
score     SARE_FREE_WEBM_Iamfi     0.555
#stype    SARE_FREE_WEBM_Iamfi     spamp
#hist     SARE_FREE_WEBM_Iamfi     Created by Bob Menschel Apr 09 2004
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_Iamfi     3s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_FREE_WEBM_Iamfi     1s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_Iamfi     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_FREE_WEBM_USACOPS   From =~ /\@usacops\.com/i
describe  SARE_FREE_WEBM_USACOPS   Maybe spammer with free email
score     SARE_FREE_WEBM_USACOPS   0.555
#stype    SARE_FREE_WEBM_USACOPS   spamp
#hist     SARE_FREE_WEBM_USACOPS   Created by Bob Menschel Feb 24 2005
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_FREE_WEBM_USACOPS   2s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_FREE_WEBM_USACOPS   2s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_FREE_WEBM_USACOPS   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Message-ID rules
########  ######################   ##################################################

header    SARE_MSGID_06D6          MESSAGEID =~ /<0{6}\d{6}\$\d/
describe  SARE_MSGID_06D6          Message-ID has ratware pattern (000009999$9)
score     SARE_MSGID_06D6          1.061
#counts   SARE_MSGID_06D6          0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_MSGID_06D6          91s/0h of 115439 corpus (94250s/21189h RM) 04/30/04
#counts   SARE_MSGID_06D6          0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_06D6          0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_06D6          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_06D6          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    MSGID_SPAM_CAPS          Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
#hist     MSGID_SPAM_CAPS          Distrib: SA 2.64, 3.0.0
header    __SARE_MSGID_ALL_CAPHM   MESSAGEID =~ /<[A-Z]+\@hotmail.com>/  # no /i
meta      SARE_MSGID_ALL_CAPHM     __SARE_MSGID_ALL_CAPHM && !MSGID_SPAM_CAPS
describe  SARE_MSGID_ALL_CAPHM     Ratware all-caps message-id 
score     SARE_MSGID_ALL_CAPHM     1.666
#stype    SARE_MSGID_ALL_CAPHM     spamg
#hist     SARE_MSGID_ALL_CAPHM     Created by Bob Menschel May 15 2004
#note     SARE_MSGID_ALL_CAPHM     Most emails that match __SARE_MSGID_ALL_CAPHM fall into SARE_MSGID_ALL_CAPS
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 70566 corpus (43013s/27553h RM) 10/02/04
#max      SARE_MSGID_ALL_CAPHM     1s/0h of 69619 corpus (42582s/27037h RM) 09/26/04
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MSGID_ALL_CAPHM     1s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_ALL_CAPHM     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    MSGID_SPAM_CAPS          Message-ID =~ /^\s*<?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
#hist     MSGID_SPAM_CAPS          Distrib: SA 2.64, 3.0.0
header    __SARE_MSGID_ALL_CAPMS   MESSAGEID =~ /<[A-Z]+\@msn.com>/  # no /i
meta      SARE_MSGID_ALL_CAPMS     __SARE_MSGID_ALL_CAPMS && !MSGID_SPAM_CAPS
describe  SARE_MSGID_ALL_CAPMS     Ratware all-caps message-id 
score     SARE_MSGID_ALL_CAPMS     1.666
#hist     SARE_MSGID_ALL_CAPMS     Created by Bob Menschel May 15 2004
#note     SARE_MSGID_ALL_CAPHM     Most emails that match __SARE_MSGID_ALL_CAPMS fall into SARE_MSGID_ALL_CAPS
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 58336 corpus (33608s/24728h RM) 08/07/04
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_ALL_CAPMS     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MSGID_H7H4H4        MESSAGEID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe  SARE_MSGID_H7H4H4        Message-ID has ratware pattern (7hex$4hex$4hex@)
score     SARE_MSGID_H7H4H4        0.222
#counts   SARE_MSGID_H7H4H4        0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_MSGID_H7H4H4        2s/0h of 115439 corpus (94250s/21189h) 04/30/04
#counts   SARE_MSGID_H7H4H4        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_MSGID_H7H4H4        2s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_H7H4H4        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_MSGID_H7H4H4        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_H7H4H4        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MSGID_HEX30         MESSAGEID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe  SARE_MSGID_HEX30         Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score     SARE_MSGID_HEX30         1.666
#counts   SARE_MSGID_HEX30         0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MSGID_HEX30         18s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_MSGID_HEX30         0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_MSGID_HEX30         235s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_MSGID_HEX30         0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_MSGID_HEX30         2s/0h of 6924 corpus (1403s/5521h ft) 07/27/05
#counts   SARE_MSGID_HEX30         0s/0h of 38374 corpus (14893s/23481h JH-SA3.0rc1) 08/18/04
#counts   SARE_MSGID_HEX30         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

header    SARE_MSGID_SPAM_DOMN0    MESSAGEID =~ /\bjeanvaljean\.com/i
describe  SARE_MSGID_SPAM_DOMN0    Message ID implies possible spammer relay
score     SARE_MSGID_SPAM_DOMN0    1.666
#stype    SARE_MSGID_SPAM_DOMN0    spamg
#hist     SARE_MSGID_SPAM_DOMN0    Created by Bob Menschel Mar 22 2004
#hist     SARE_MSGID_SPAM_DOMN0    Removed moosq.com, since now in specific.cf
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#max      SARE_MSGID_SPAM_DOMN0    1s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_SPAM_DOMN0    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    MSGID_SPAM_ALPHA_NUM     MESSAGEID =~ /<[A-Z]{7}-000[0-9]{10}\@[a-z]*>/
header    __SARE_RECV_LOCALHOST    Received =~ /LOCALHOST/
header    __SARE_MSGID_SUSP2       MESSAGEID =~ /\<[A-Z]{5,15}\-\d{10,25}\@[a-z]+\>/
meta      SARE_MSGID_SUSP2         __SARE_MSGID_SUSP2 && !__SARE_RECV_LOCALHOST && !MSGID_SPAM_ALPHA_NUM
describe  SARE_MSGID_SUSP2         Message-Id is <LETTERS-digits@letters>
score     SARE_MSGID_SUSP2         3.000
#hist     SARE_MSGID_SUSP2         Loren Wilton, LW_BOGUS_MSGID6
#hist     SARE_MSGID_SUSP2         Broadened Aug 2004 by Jesse Houwing, with ham-evading exclude
#V300     SARE_MSGID_SUSP2         strong overlap with MSGID_SPAM_ALPHA_NUM 
#counts   SARE_MSGID_SUSP2         0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#alone    SARE_MSGID_SUSP2         174s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#max      SARE_MSGID_SUSP2         9187s/0h of 115925 corpus (94616s/21309h RM) 05/01/04
#counts   SARE_MSGID_SUSP2         0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_MSGID_SUSP2         6s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_MSGID_SUSP2         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_MSGID_SUSP2         187s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_MSGID_SUSP2         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MSGID_SUSP2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header Rules
########  ######################   ##################################################

header    SARE_HELO_AOLID          Received =~ /helo=aol\.com ident=/
describe  SARE_HELO_AOLID          Spam passed through apparent spammer relay
score     SARE_HELO_AOLID          0.611
#counts   SARE_HELO_AOLID          0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_HELO_AOLID          10s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_HELO_AOLID          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HELO_AOLID          0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_AOLID          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_AOLID          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HELO_MAILUSER       Received =~ /helo=MailUser\)/i
describe  SARE_HELO_MAILUSER       Received header has possible spamsign
score     SARE_HELO_MAILUSER       1.111
#stype    SARE_HELO_MAILUSER       spamp
#hist     SARE_HELO_MAILUSER       Created by Bob Menschel May 31 2004
#counts   SARE_HELO_MAILUSER       0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HELO_MAILUSER       12s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_HELO_MAILUSER       0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_HELO_MAILUSER       0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HELO_MAILUSER       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HELO_MAILUSER       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ADDR2          Received =~ /^from \[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\n/
describe  SARE_RECV_ADDR2          Received header missing a FQDN, IP only.
score     SARE_RECV_ADDR2          0.100
#counts   SARE_RECV_ADDR2          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR2          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR2          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR2          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ADDR3          Received =~ /^from \(.?\[.?\].?\)\b/
describe  SARE_RECV_ADDR3          Received header contains an empty Recieved IP.
score     SARE_RECV_ADDR3          0.100
#counts   SARE_RECV_ADDR3          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR3          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR3          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR3          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ADDR4          Received =~ /^from unknown \(\w+ \w+\)\b/
describe  SARE_RECV_ADDR4          Received contains unknown FQDN with possible HELO.
score     SARE_RECV_ADDR4          0.100
#counts   SARE_RECV_ADDR4          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ADDR4          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ADDR4          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ADDR4          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_RECV_CHAR_DASHS   Received =~ /---/
header    __SARE_RECV_CHAR_DOTS    Received =~ /\.\./
meta      SARE_RECV_CHAR_DSHDT     __SARE_RECV_CHAR_DASHS && __SARE_RECV_CHAR_DOTS
describe  SARE_RECV_CHAR_DSHDT     Strange dashes and dots in received line
score     SARE_RECV_CHAR_DSHDT     0.500
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_CHAR_DSHDT     7s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_CHAR_DSHDT     2s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_CHAR_DSHDT     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_ESMTP          Received =~ /^from \(?:unknown|\d+\.\d+\.\d+\.\d+\) \(\s+\) by \s+ with esmtp; /
describe  SARE_RECV_ESMTP          Received header has forged lowercase 'esmtp' relay
score     SARE_RECV_ESMTP          0.100
#counts   SARE_RECV_ESMTP          0s/0h of 89541 corpus (67467s/22074h RM) 05/28/04
#counts   SARE_RECV_ESMTP          0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_ESMTP          0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_ESMTP          0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_LOCALHOST      Received =~ /localhosts\.txt/i
describe  SARE_RECV_LOCALHOST      fingerprint
score     SARE_RECV_LOCALHOST      1.111
#stype    SARE_RECV_LOCALHOST      spamp
#hist     SARE_RECV_LOCALHOST      Alex Broens, June 2005
#counts   SARE_RECV_LOCALHOST      0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_LOCALHOST      77s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_RECV_LOCALHOST      0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_LOCALHOST      0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_RANDOM         Received =~ /helo[ =].{1,30}<rnddg/i
describe  SARE_RECV_RANDOM         Spam contains random string in received header
score     SARE_RECV_RANDOM         4.000
#stype    SARE_RECV_RANDOM         spamggg
#hist     SARE_RECV_RANDOM         Created by Bob Menschel Nov 02 2004
#counts   SARE_RECV_RANDOM         0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_RANDOM         80s/0h of 196708 corpus (96197s/100511h RM) 02/21/05
#counts   SARE_RECV_RANDOM         0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_RANDOM         0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_RANDOM         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RANDOM         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_RND_DATE       Received =~ /RND_DATE/i
describe  SARE_RECV_RND_DATE       Spam passed through iswest.net relay
score     SARE_RECV_RND_DATE       1.666  
#stype    SARE_RECV_RND_DATE       spamg
#counts   SARE_RECV_RND_DATE       0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_RND_DATE       9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_RECV_RND_DATE       0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_RECV_RND_DATE       0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max      SARE_RECV_RND_DATE       1s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_RECV_RND_DATE       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RND_DATE       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_RND_NUMBER     Received =~ /RND_NUMBER/i
describe  SARE_RECV_RND_NUMBER     Spam passed through iswest.net relay
score     SARE_RECV_RND_NUMBER     1.666  
#stype    SARE_RECV_RND_NUMBER     spamg
#counts   SARE_RECV_RND_NUMBER     0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_RND_NUMBER     2s/0h of 120459 corpus (71363s/49096h RM) 02/12/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_RND_NUMBER     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_SUSP_2         Received =~ /from\s+[A-Z0-9]+\s+\(\[10\.2\.202\.25\]\)\s+by\s+[A-Z0-9]+\.[a-z]+/
describe  SARE_RECV_SUSP_2         Spammer sign in headers
score     SARE_RECV_SUSP_2         1.666
#hist     SARE_RECV_SUSP_2         LW_RATWARE1
#counts   SARE_RECV_SUSP_2         0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_SUSP_2         69s/0h of 114271 corpus (81068s/33203h RM) 01/15/05
#counts   SARE_RECV_SUSP_2         31s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#max      SARE_RECV_SUSP_2         124s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_SUSP_2         0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_SUSP_2         1s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_SUSP_2         0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_RECV_SUSP_2         8s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_SUSP_2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_TRADVALUES     Received =~ /\btraditionalvalues\.org/i
describe  SARE_RECV_TRADVALUES     From or passed through spammer/unreliable domain
score     SARE_RECV_TRADVALUES     3.333  
#stype    SARE_RECV_TRADVALUES     spamgg
#hist     SARE_RECV_TRADVALUES     RM_hr_tradvalues
#counts   SARE_RECV_TRADVALUES     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_TRADVALUES     97s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_RECV_TRADVALUES     0s/0h of 18651 corpus (16120s/2531h MY) 08/29/04
#counts   SARE_RECV_TRADVALUES     0s/0h of 38751 corpus (15270s/23481h JH-SA3.0rc1) 08/30/04
#counts   SARE_RECV_TRADVALUES     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_TRADVALUES     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_VIPLIST        Received =~ /\b(?:viplist\.us|\[216.74.127.234\])/
describe  SARE_RECV_VIPLIST        Email comes from known spammer system 
score     SARE_RECV_VIPLIST        4.000  
#stype    SARE_RECV_VIPLIST        spamggg
#hist     SARE_RECV_VIPLIST        Created by Bob Menschel Sep 29 2004
#counts   SARE_RECV_VIPLIST        0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_VIPLIST        255s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_VIPLIST        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_VIPLIST        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_VIPLIST        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_VIPLIST        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_WITH_X2        Received =~ / with with /
describe  SARE_RECV_WITH_X2        Spam identified by typo in received header
score     SARE_RECV_WITH_X2        1.666
#stype    SARE_RECV_WITH_X2        spamp 
#counts   SARE_RECV_WITH_X2        0s/0h of 56796 corpus (32203s/24593h RM) 07/25/04
#max      SARE_RECV_WITH_X2        341s/0h of 100795 corpus (82099s/18696h) 02/16/04
#counts   SARE_RECV_WITH_X2        0s/1h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_WITH_X2        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_WITH_X2        4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_WITH_X2        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_WITH_X2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_XACTRIX        Received =~ /\b(?:accutra|xactrix)\.com/i
describe  SARE_RECV_XACTRIX        From/through probable spammer system 
score     SARE_RECV_XACTRIX        2.500  
#stype    SARE_RECV_XACTRIX        spamg
#hist     SARE_RECV_XACTRIX        Created by Bob Menschel Sep 03 2004
#counts   SARE_RECV_XACTRIX        0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_RECV_XACTRIX        11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_XACTRIX        0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_XACTRIX        21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_XACTRIX        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Received Header IP Address Rules
########  ######################   ##################################################

header    SARE_RECV_IP_004078      Received =~ /\[4\.78\.193\.\d{1,3}\]/
describe  SARE_RECV_IP_004078      Spam passed through possible spammer relay
score     SARE_RECV_IP_004078      1.666 
#hist     SARE_RECV_IP_004078      Created by Bob Menschel Feb 5 2005 from Spam-L information
#note     SARE_RECV_IP_004078      CWIE, LLC
#counts   SARE_RECV_IP_004078      0s/0h of 95095 corpus (59680s/35415h RM) 02/05/05
#counts   SARE_RECV_IP_004078      0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_004078      0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_004078      397s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_004078      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_004078      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_038112147   Received =~ /\[38\.112\.147\.\d{1,3}\]/
describe  SARE_RECV_IP_038112147   Spam passed through possible spammer relay
score     SARE_RECV_IP_038112147   1.111
#stype    SARE_RECV_IP_038112147   spamp
#hist     SARE_RECV_IP_038112147   Created by Bob Menschel, Feb 19 2005, from Spam-L posting
#counts   SARE_RECV_IP_038112147   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_038112147   66s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_RECV_IP_038112147   0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_038112147   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_038112147   3s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_038112147   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_038112147   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_062023      Received =~ /\[62\.23\.133\.(?:19[2-9]|2\d{2})\]/
describe  SARE_RECV_IP_062023      Passed through possible spammer relay or source
score     SARE_RECV_IP_062023      1.111
#stype    SARE_RECV_IP_062023      spamp
#hist     SARE_RECV_IP_062023      Created by Bob Menschel Feb 10 2005 from Spam-L info
#note     SARE_RECV_IP_062023      E-Mail-Vision
#counts   SARE_RECV_IP_062023      0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_IP_062023      22s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_062023      0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_IP_062023      0s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_062023      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_062023      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064069032   Received =~ /\[64\.69\.32\.\d{1,3}\]/
describe  SARE_RECV_IP_064069032   Spam passed through possible spammer relay
score     SARE_RECV_IP_064069032   1.111  
#stype    SARE_RECV_IP_064069032   spamp 
#hist     SARE_RECV_IP_064069032   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_064069032   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_IP_064069032   13s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_064069032   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_064069032   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_064095      Received =~ /\[64\.95\.199\.\d{1,3}\]/
describe  SARE_RECV_IP_064095      Spam passed through probable spammer relay 
score     SARE_RECV_IP_064095      1.666 
#stype    SARE_RECV_IP_064095      spamg
#hist     SARE_RECV_IP_064095      Created by Bob Menschel Apr 17 2004
#counts   SARE_RECV_IP_064095      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_064095      3s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_064095      0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_RECV_IP_064095      22s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_064095      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_064095      2s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_064095      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_064095      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064192082   received =~ /\[64\.192\.8[23]\.\d{1,3}\]/
describe  SARE_RECV_IP_064192082   Spam passed through possible spammer relay
score     SARE_RECV_IP_064192082   1.111
#stype    SARE_RECV_IP_064192082   spamp
#hist     SARE_RECV_IP_064192082   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_064192082   0s/0h of 98352 corpus (59690s/38662h RM) 01/29/05
#counts   SARE_RECV_IP_064192082   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_064192082   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_064192082   39s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_064192082   0s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_RECV_IP_064192082   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_064192191   Received =~ /\[64\.192\.191\.\d{1,3}\]/
describe  SARE_RECV_IP_064192191   Passed through possible spammer relay or source
score     SARE_RECV_IP_064192191   1.111 
#stype    SARE_RECV_IP_064192191   spamp
#hist     SARE_RECV_IP_064192191   Created by Bob Menschel Jan 14 2005, info thanks to Paul Howarth, Dec 14 2004
#note     SARE_RECV_IP_064192191   WCG.NET, On The Net, Inc., onthenethosting.us
#counts   SARE_RECV_IP_064192191   0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_RECV_IP_064192191   31s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_064192191   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_064192191   0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_064192191   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_064192191   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_065205157   received =~ /\[65\.205\.157\.(?:19[2-9]|2[01]\d|22[0-3])\]/
describe  SARE_RECV_IP_065205157   Spam passed through possible spammer relay
score     SARE_RECV_IP_065205157   1.111
#stype    SARE_RECV_IP_065205157   spamp
#hist     SARE_RECV_IP_065205157   Created by Bob Menschel Jan 29 2005 from info supplied via Spam-L
#counts   SARE_RECV_IP_065205157   0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_065205157   7s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_065205157   0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_065205157   0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max      SARE_RECV_IP_065205157   67s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_065205157   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_065205157   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_066063      Received =~ /\[66\.63\.178\.\d{1,3}\]/
describe  SARE_RECV_IP_066063      Passed through possible spammer relay or source
score     SARE_RECV_IP_066063      1.111
#stype    SARE_RECV_IP_066063      spamp
#hist     SARE_RECV_IP_066063      Created by Bob Menschel Feb 10 2005 from Spam-L info
#counts   SARE_RECV_IP_066063      0s/0h of 118836 corpus (71083s/47753h RM) 02/10/05
#counts   SARE_RECV_IP_066063      0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_RECV_IP_066063      0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_066063      21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066063      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066063      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_066114a     Received =~ /\[66\.114\.217\.\d{1,3}\]/
describe  SARE_RECV_IP_066114a     Spam passed through possible spammer relay
score     SARE_RECV_IP_066114a     1.111  
#stype    SARE_RECV_IP_066114a     spamp 
#hist     SARE_RECV_IP_066114a     Created by Bob Menschel Feb 5 2005 from Spam-L info
#note     SARE_RECV_IP_066114a     SW FLA Hosting
#counts   SARE_RECV_IP_066114a     0s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#max      SARE_RECV_IP_066114a     27s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_066114a     0s/0h of 54840 corpus (17664s/37176h JH-3.01) 03/13/05
#counts   SARE_RECV_IP_066114a     0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_066114a     13s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_RECV_IP_066114a     0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066114a     0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_066159017   Received =~ /\[66\.159\.17\.8[4-7]\]/
describe  SARE_RECV_IP_066159017   Spam passed through possible spammer relay
score     SARE_RECV_IP_066159017   1.666  
#hist     SARE_RECV_IP_066159017   Created by Bob Menschel Aug 07 2005
#counts   SARE_RECV_IP_066159017   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_IP_066159017   219s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_RECV_IP_066159017   0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_RECV_IP_066159017   0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_RECV_IP_066248154   Received =~ /\[66\.248\.154\.\d{1,3}\]/
describe  SARE_RECV_IP_066248154   Spam passed through possible spammer relay
score     SARE_RECV_IP_066248154   1.111
#stype    SARE_RECV_IP_066248154   spamp 
#hist     SARE_RECV_IP_066248154   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_066248154   Advanced Dedicated Database Servers LLC
#counts   SARE_RECV_IP_066248154   0s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#max      SARE_RECV_IP_066248154   8s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_066248154   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_066248154   0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max      SARE_RECV_IP_066248154   17s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_069060122   Received =~ /\[69\.60\.122\.\d{1,3}\]/
describe  SARE_RECV_IP_069060122   Spam passed through possible spammer relay
score     SARE_RECV_IP_069060122   1.111  
#stype    SARE_RECV_IP_069060122   spamp 
#hist     SARE_RECV_IP_069060122   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_069060122   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#counts   SARE_RECV_IP_069060122   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_069060122   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_069060122   3s/0h of 47809 corpus (43224s/4585h MY) 07/27/05

header    SARE_RECV_IP_070096177   Received =~ /\[70\.96\.177\.\d{1,3}\]/
describe  SARE_RECV_IP_070096177   Spam passed through possible spammer relay
score     SARE_RECV_IP_070096177   1.666  
#stype    SARE_RECV_IP_070096177   spamp 
#hist     SARE_RECV_IP_070096177   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_070096177   Broadlogix
#counts   SARE_RECV_IP_070096177   0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_070096177   78s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_RECV_IP_070096177   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_070096177   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_070096177   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_070096177   48s/0h of 47283 corpus (43206s/4077h MY) 06/05/05

header    SARE_RECV_IP_081019      Received =~ /\[81\.19\.24[0-3]\.\d{1,3}\]/
describe  SARE_RECV_IP_081019      Passed through possible spammer relay or source
score     SARE_RECV_IP_081019      0.678
#hist     SARE_RECV_IP_081019      Created by Bob Menschel Jul 27 2004
#counts   SARE_RECV_IP_081019      0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_081019      15s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_RECV_IP_081019      3s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_RECV_IP_081019      0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#max      SARE_RECV_IP_081019      4s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_081019      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_081019      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_081095      Received =~ /\[81\.95\.(?:3[2-9]|4[0-7])\.\d{1,3}\]/
describe  SARE_RECV_IP_081095      Spam passed through possible spammer relay 
score     SARE_RECV_IP_081095      0.555  
#stype    SARE_RECV_IP_081095      spamp 
#hist     SARE_RECV_IP_081095      Created by Bob Menschel June 12 2004
#counts   SARE_RECV_IP_081095      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_081095      3s/0h of 66087 corpus (40127s/25960h RM) 09/11/04
#counts   SARE_RECV_IP_081095      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_081095      1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_081095      0s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_RECV_IP_081095      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_081095      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_200203050   Received =~ /\[200\.203\.50\.160\]/
describe  SARE_RECV_IP_200203050   Spam passed through possible spammer relay
score     SARE_RECV_IP_200203050   0.555
#stype    SARE_RECV_IP_200203050   spamp
#hist     SARE_RECV_IP_200203050   Created by Bob Menschel, Feb 19 2005, from Spam-L posting
#counts   SARE_RECV_IP_200203050   0s/0h of 174366 corpus (98964s/75402h RM) 02/18/05
#counts   SARE_RECV_IP_200203050   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_200203050   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_202064      Received =~ /\[202\.22\.(?:24[89]|25[01])\.\d{1,3}\]/
describe  SARE_RECV_IP_202064      Spam passed through possible spammer relay
score     SARE_RECV_IP_202064      1.111
#stype    SARE_RECV_IP_202064      spamp 
#hist     SARE_RECV_IP_202064      Created by Bob Menschel Apr 25 2004
#counts   SARE_RECV_IP_202064      0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_RECV_IP_202064      12s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#counts   SARE_RECV_IP_202064      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_202064      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_RECV_IP_202064      4s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_RECV_IP_202064      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_202064      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_206248152   Received =~ /\[206\.248\.153\.\d{1,3}\]/
describe  SARE_RECV_IP_206248152   Spam passed through possible spammer relay
score     SARE_RECV_IP_206248152   0.617
#ham      SARE_RECV_IP_206248152   confirmed (1) 
#hist     SARE_RECV_IP_206248152   Created by Bob Menschel May 14 2005
#note     SARE_RECV_IP_206248152   3zCanada-GTA1
#counts   SARE_RECV_IP_206248152   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_RECV_IP_206248152   19s/0h of 298277 corpus (136400s/161877h RM) 06/06/05
#counts   SARE_RECV_IP_206248152   0s/0h of 22942 corpus (17234s/5708h MY) 05/14/06
#max      SARE_RECV_IP_206248152   2s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_RECV_IP_206248152   0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_RECV_IP_207182      Received =~ /\[207\.182\.146\.(?:19[2-9]|2\d{2})\]/
describe  SARE_RECV_IP_207182      Passed through possible spammer relay or source
score     SARE_RECV_IP_207182      1.666
#stype    SARE_RECV_IP_207182      spamp
#hist     SARE_RECV_IP_207182      Created by Bob Menschel Feb 10 2005 from Spam-L info
#counts   SARE_RECV_IP_207182      0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_207182      26s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_RECV_IP_207182      71s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_RECV_IP_207182      0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_207182      57s/0h of 27758 corpus (24297s/3461h MY) 02/27/05
#counts   SARE_RECV_IP_207182      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_207182      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_208048182   Received =~ /\[208.48\.182\.\d{1,3}\]/
describe  SARE_RECV_IP_208048182   Spam passed through possible spammer relay
score     SARE_RECV_IP_208048182   1.111  
#stype    SARE_RECV_IP_208048182   spamp 
#hist     SARE_RECV_IP_208048182   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_208048182   0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_208048182   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_208048182   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_208048182   43s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

header    SARE_RECV_IP_211049      Received =~ /\[211\.49\.185\.\d{1,3}\]/
describe  SARE_RECV_IP_211049      Spam passed through possible spammer relay
score     SARE_RECV_IP_211049      0.555
#stype    SARE_RECV_IP_211049      spamp
#counts   SARE_RECV_IP_211049      0s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#max      SARE_RECV_IP_211049      3s/0h of 97268 corpus (79437s/17831h RM) 01/24/04
#counts   SARE_RECV_IP_211049      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_211049      0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_RECV_IP_211049      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05

header    SARE_RECV_IP_212164      Received =~ /\[212\.164\.1(?:6[4-9]|[78]\d|9[01])\.\d{1,3}\]/
describe  SARE_RECV_IP_212164      Spam passed through possible spammer relay 
score     SARE_RECV_IP_212164      0.555
#stype    SARE_RECV_IP_212164      spamp
#hist     SARE_RECV_IP_212164      Created by Bob Menschel May 31 2004
#counts   SARE_RECV_IP_212164      0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_RECV_IP_212164      1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_RECV_IP_212164      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_RECV_IP_212164      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_212164      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_RECV_IP_216055133   Received =~ /\[216\.55\.133\.\d{1,3}\]/
describe  SARE_RECV_IP_216055133   Spam passed through possible spammer relay
score     SARE_RECV_IP_216055133   1.111
#stype    SARE_RECV_IP_216055133   spamp 
#hist     SARE_RECV_IP_216055133   Created by Bob Menschel May 14 2005
#counts   SARE_RECV_IP_216055133   0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#counts   SARE_RECV_IP_216055133   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_RECV_IP_216055133   0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_RECV_IP_216055133   1s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_RECV_IP_216055133   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_RECV_IP_216055133   15s/0h of 45478 corpus (41529s/3949h MY) 05/16/05

#####################################################################################
#         SARE Reply-To Header Rules 
########  ######################   ##################################################

header    SARE_REPLY_XACTRIX       Reply-To =~ /\b(?:accutra|xactrix)\.com/i
describe  SARE_REPLY_XACTRIX       Reply-To email addr to spammer
score     SARE_REPLY_XACTRIX       1.666
#stype    SARE_REPLY_XACTRIX       spamg
#hist     SARE_REPLY_XACTRIX       Created by Bob Menschel Sep 03 2004
#counts   SARE_REPLY_XACTRIX       0s/0h of 280812 corpus (109490s/171322h RM) 05/05/05
#max      SARE_REPLY_XACTRIX       11s/0h of 115509 corpus (81073s/34436h RM) 01/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_REPLY_XACTRIX       21s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_REPLY_XACTRIX       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE User-Agent rules
########  ######################   ##################################################

#####################################################################################
#         SARE To/Cc Destination rules
########  ######################   ##################################################

header    SARE_TOCC_MAILDOMN       ToCc =~ /(?:client|recipient)\@(?:smtpdomain|maildomain)\.(?:com|net)/i
describe  SARE_TOCC_MAILDOMN       Destination identifies this as a virus bounce
score     SARE_TOCC_MAILDOMN       1.666
#stype    SARE_TOCC_MAILDOMN       vbg
#hist     SARE_TOCC_MAILDOMN       Created by Bob Menschel Mar 28 2004
#counts   SARE_TOCC_MAILDOMN       0s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#max      SARE_TOCC_MAILDOMN       5s/0h of 60630 corpus (35509s/25121h RM) 08/11/04
#counts   SARE_TOCC_MAILDOMN       1s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_MAILDOMN       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_TOCC_SPAMWORD0      ToCc =~ /(?:alter-ego|Mailing-Boxes|ReMailer|User-info)\@/i
describe  SARE_TOCC_SPAMWORD0      Addressed to bogus email address
score     SARE_TOCC_SPAMWORD0      0.444
#hist     SARE_TOCC_SPAMWORD0      Removed Mailinglist May 14 2005
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 274235 corpus (109066s/165169h RM) 05/15/05
#max      SARE_TOCC_SPAMWORD0      2s/3h of 196688 corpus (96191s/100497h RM) 02/21/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#max      SARE_TOCC_SPAMWORD0      1s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_TOCC_SPAMWORD0      0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE X-Mailer Rules
########  ######################   ##################################################

header    SARE_XMAIL_BULK2         X-Mailer =~ /(?:Mail2000|Simple Mail Solutions)/i
describe  SARE_XMAIL_BULK2         Uses bulk mailer used by spammers
score     SARE_XMAIL_BULK2         0.100
#hist     SARE_XMAIL_BULK2         Bob Menschel: PSS Bulk Mailer, Calypso; removed OSM Client Feb 7 2005
#counts   SARE_XMAIL_BULK2         0s/0h of 85084 corpus (62489s/22595h RM) 06/08/04
#counts   SARE_XMAIL_BULK2         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_XMAIL_BULK2         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK2         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_BULK4         X-Mailer =~ /(?:Master-SMTP)/i
describe  SARE_XMAIL_BULK4         Uses bulk mailer name forged by viruses
score     SARE_XMAIL_BULK4         0.277
#stype    SARE_XMAIL_BULK4         vbp
#hist     SARE_XMAIL_BULK4         Bob Menschel: Master-SMTP
#counts   SARE_XMAIL_BULK4         0s/0h of 114241 corpus (81067s/33174h RM) 01/15/05
#max      SARE_XMAIL_BULK4         5s/0h of 56804 corpus (32211s/24593h RM) 07/25/04
#counts   SARE_XMAIL_BULK4         0s/0h of 32586 corpus (9341s/23245h JH) 06/10/04
#counts   SARE_XMAIL_BULK4         0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_XMAIL_BULK4         0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_BULK4         0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_XMAIL_DIRUNIV       X-Mailer =~ /Direct Universe/i
describe  SARE_XMAIL_DIRUNIV       Apparently uses spam/bulk mailer
score     SARE_XMAIL_DIRUNIV       1.111
#stype    SARE_XMAIL_DIRUNIV       spamp
#hist     SARE_XMAIL_DIRUNIV       Bob Menschel, May 14 2005
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_XMAIL_DIRUNIV       48s/0h of 327690 corpus (159737s/167953h RM) 07/27/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_XMAIL_DIRUNIV       0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

header    SARE_XMAIL_GDI           X-Mailer=~/GDI Mailer/
describe  SARE_XMAIL_GDI           Ratware mailer
score     SARE_XMAIL_GDI           0.100
#hist     SARE_XMAIL_GDI           Bob Menschel, Feb 25 2005
#counts   SARE_XMAIL_GDI           0s/0h of 273595 corpus (108821s/164774h RM) 05/13/05
#max      SARE_XMAIL_GDI           1s/0h of 238550 corpus (112525s/126025h RM) 02/28/05
#counts   SARE_XMAIL_GDI           0s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_XMAIL_GDI           0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_GDI           0s/0h of 42275 corpus (34158s/8117h FVGT) 05/15/06
#max      SARE_XMAIL_GDI           1s/0h of 6924 corpus (1403s/5521h ft) 07/27/05

header    SARE_XMAIL_INTERMED      X-Mailer =~ /\bIntermedia mail\b/i
describe  SARE_XMAIL_INTERMED      possible spamware
score     SARE_XMAIL_INTERMED      0.850  
#hist     SARE_XMAIL_INTERMED      Alex Broens, June 30 2005
#counts   SARE_XMAIL_INTERMED      0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_XMAIL_INTERMED      51s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_INTERMED      0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_XMAIL_INTERMED      1s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_XMAIL_INTERMED      0s/0h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_XMAIL_INTERMED      1s/0h of 6905 corpus (1401s/5504h ft) 07/24/05

header    SARE_XMAIL_LEO           X-Mailer =~ /^[A-Z][a-x]+\s[a-z]{2}\s\d\.\d\d\s*$/      # no /i
score     SARE_XMAIL_LEO           2.333
describe  SARE_XMAIL_LEO           Spamsign in x-mailer header
#hist     SARE_XMAIL_LEO           Loren Wilton, Sept 07, 2005
#counts   SARE_XMAIL_LEO           0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_XMAIL_LEO           2625s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_XMAIL_LEO           0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_XMAIL_LEO           0s/0h of 7500 corpus (1767s/5733h ft) 09/18/05

header    SARE_XMAIL_PHPBulkEmai   X-Mailer =~ /PHPBulkEmailer/i
describe  SARE_XMAIL_PHPBulkEmai   Apparently uses spam/bulk mailer
score     SARE_XMAIL_PHPBulkEmai   1.111
#stype    SARE_XMAIL_PHPBulkEmai   spamp
#hist     SARE_XMAIL_PHPBulkEmai   Bob Menschel, Apr 11, 2005, from suggestion by Loren Wilton
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_XMAIL_PHPBulkEmai   45s/0h of 275081 corpus (134226s/140855h RM) 05/30/05
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_XMAIL_PHPBulkEmai   1s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_XMAIL_PHPBulkEmai   0s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_XMAIL_PHPBulkEmai   1s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

#####################################################################################
#         SARE Miscellaneous and X-Header header rules 
########  ######################   ##################################################

header    SARE_HEAD_CONT_RNDCONT   Content-Transfer-Encoding =~ /CONTENT_ENCODING/i
describe  SARE_HEAD_CONT_RNDCONT   Spam passed through iswest.net relay
score     SARE_HEAD_CONT_RNDCONT   1.166  
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_CONT_RNDCONT   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_DATE_RNDDATE   Date =~ /RND/i
describe  SARE_HEAD_DATE_RNDDATE   Spam passed through iswest.net relay
score     SARE_HEAD_DATE_RNDDATE   1.666  
#stype    SARE_HEAD_DATE_RNDDATE   spamg
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_DATE_RNDDATE   9s/0h of 268479 corpus (127479s/141000h RM) 06/17/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_DATE_RNDDATE   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_THRD_ALNUM     Thread-Index =~ /ALNUM/
describe  SARE_HEAD_THRD_ALNUM     Spam fingerprint in thread index
score     SARE_HEAD_THRD_ALNUM     0.839
#hist     SARE_HEAD_THRD_ALNUM     Alex Broens, July 27 2005
#counts   SARE_HEAD_THRD_ALNUM     0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_THRD_ALNUM     51s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HEAD_THRD_ALNUM     0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    SARE_HEAD_TOCC_DEFHNDL   All =~ /TO_CC_DEFAULT_HANDLER/i
describe  SARE_HEAD_TOCC_DEFHNDL   Spam passed through iswest.net relay
score     SARE_HEAD_TOCC_DEFHNDL   1.166  
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_TOCC_DEFHNDL   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XAUTH_WARN2    X-Authentication-Warning =~ /\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
describe  SARE_HEAD_XAUTH_WARN2    X-Authentication-Warning: Contains Spam Signature.
score     SARE_HEAD_XAUTH_WARN2    2.500
#stype    SARE_HEAD_XAUTH_WARN2    spamg
#hist     SARE_HEAD_XAUTH_WARN2    Mike Hogsett, Tuesday, May 25, 2004, CSL_X_AUTH_WARN_2
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#max      SARE_HEAD_XAUTH_WARN2    46s/0h of 60623 corpus (35501s/25122h RM) 08/11/04
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#max      SARE_HEAD_XAUTH_WARN2    14s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#max      SARE_HEAD_XAUTH_WARN2    1s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XAUTH_WARN2    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XCANIT1        X-CanItPRO-Stream =~ /^sbw\b/
describe  SARE_HEAD_XCANIT1        Message headers used which identify spam
score     SARE_HEAD_XCANIT1        1.111
#stype    SARE_HEAD_XCANIT1        spamp
#hist     SARE_HEAD_XCANIT1        Enhanced from original SARE_HEAD_HDR_XCANITP rule with help from RoaringPenguin
#counts   SARE_HEAD_XCANIT1        0s/0h of 259338 corpus (110116s/149222h RM) 05/16/05
#max      SARE_HEAD_XCANIT1        7s/0h of 68480 corpus (41098s/27382h RM) 09/18/04
#counts   SARE_HEAD_XCANIT1        0s/0h of 18196 corpus (15673s/2523h MY) 08/16/04
#counts   SARE_HEAD_XCANIT1        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_XCANIT1        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XCANIT1        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    __SARE_HEAD_XCANIT_H     exists:X-CanItPRO-Stream  
header    __SARE_HEAD_XCANIT_S     exists:X-Scanned-By
meta      SARE_HEAD_XCANIT2        __SARE_HEAD_XCANIT_H && !__SARE_HEAD_XCANIT_S
describe  SARE_HEAD_XCANIT2        Incomplete anti-spam headers signifying spam
score     SARE_HEAD_XCANIT2        0.555
#stype    SARE_HEAD_XCANIT2        spamp
#hist     SARE_HEAD_XCANIT2        Created by Bob Menschel Jan 29 2005 from information provided by RoaringPenguin
#counts   SARE_HEAD_XCANIT2        0s/0h of 196688 corpus (96191s/100497h RM) 02/21/05
#max      SARE_HEAD_XCANIT2        2s/0h of 96329 corpus (59684s/36645h RM) 02/04/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 20489 corpus (17189s/3300h MY) 01/30/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XCANIT2        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XM4            ALL =~ /\nX-M-.{4}:/          # usually 4:28:12
describe  SARE_HEAD_XM4            Contains spamsign header 
score     SARE_HEAD_XM4            1.111
#stype    SARE_HEAD_XM4            spamp
#hist     SARE_HEAD_XM4            Loren Wilton, June 2005
#counts   SARE_HEAD_XM4            0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_XM4            80s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HEAD_XM4            0s/0h of 47809 corpus (43224s/4585h MY) 07/27/05
#counts   SARE_HEAD_XM4            0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

header    SARE_HEAD_XMF_AUTHSNDR   X-Message-flag =~ /Authentic Sender/i
describe  SARE_HEAD_XMF_AUTHSNDR   Headers contains spam sign
score     SARE_HEAD_XMF_AUTHSNDR   1.666
#stype    SARE_HEAD_XMF_AUTHSNDR   spamp
#hist     SARE_HEAD_XMF_AUTHSNDR   Created by Bob Menschel Jan 29 2005 from idea submitted by Alex Broens 
#counts   SARE_HEAD_XMF_AUTHSNDR   0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_XMF_AUTHSNDR   726s/0h of 400432 corpus (178148s/222284h RM) 03/31/05
#counts   SARE_HEAD_XMF_AUTHSNDR   67s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_HEAD_XMF_AUTHSNDR   0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_HEAD_XMF_AUTHSNDR   54s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_HEAD_XMF_AUTHSNDR   0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_HEAD_XMF_AUTHSNDR   89s/0h of 11052 corpus (6614s/4438h CT) 03/10/05
#counts   SARE_HEAD_XMF_AUTHSNDR   0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_HEAD_XPRI_RNDNUM    X-Priority =~ /PRIORITY_NUMBER/i
describe  SARE_HEAD_XPRI_RNDNUM    Spam passed through iswest.net relay
score     SARE_HEAD_XPRI_RNDNUM    1.666  
#stype    SARE_HEAD_XPRI_RNDNUM    spamg
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 95112 corpus (59679s/35433h RM) 01/31/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 54072 corpus (16898s/37174h JH-3.01) 02/18/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 26184 corpus (22793s/3391h MY) 02/16/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_XPRI_RNDNUM    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

#####################################################################################
#         SARE Rules which identify headers found in email bodies
########  ######################   ##################################################

rawbody   SARE_HEAD_BDY_BOUNCES    /^Bounces_to: .{1,50}\@/
describe  SARE_HEAD_BDY_BOUNCES    Message header suggesting spam in body
score     SARE_HEAD_BDY_BOUNCES    1.666
#note     SARE_HEAD_BDY_BOUNCES    Normally valid header currently very popular in spam. Presence in bounced emails strongly suggests bounced spam
#hist     SARE_HEAD_BDY_BOUNCES    Bob Menschel, Apr 10 2005
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_HEAD_BDY_BOUNCES    433s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/1h of 15713 corpus (7767s/7946h FT) 05/14/06
#max      SARE_HEAD_BDY_BOUNCES    0s/0h of 2500 corpus (531s/1969h ft) 05/17/05
#counts   SARE_HEAD_BDY_BOUNCES    0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05

#####################################################################################
#         SARE Rules which examine multiple header types
########  ######################   ##################################################

header    __SARE_MULT_FROM_MRS     From =~ /"Mrs[\. ][A-Z][a-z]+"/
header    __SARE_MULT_HITHERE      Subject =~ /^(?:HELLO|Hello|Hey|Hi)\w{0,8},?(?:Mrs\.)?/
body      __SARE_MULT_PROFILE      /(?:on-?line profile|profile (?:is )?on-?line)/
meta      SARE_MULT_SEXCLUB        __SARE_MULT_HITHERE && (__SARE_MULT_PROFILE || __SARE_MULT_FROM_MRS)
describe  SARE_MULT_SEXCLUB        Adult invitation spam
score     SARE_MULT_SEXCLUB        1.666
#hist     SARE_MULT_SEXCLUB        Loren Wilton, Feb 22 2005
#counts   SARE_MULT_SEXCLUB        0s/0h of 173032 corpus (99056s/73976h RM) 05/11/06
#max      SARE_MULT_SEXCLUB        114s/0h of 283497 corpus (129933s/153564h RM) 03/08/05
#counts   SARE_MULT_SEXCLUB        8s/0h of 54179 corpus (17002s/37177h JH-3.01) 03/01/05
#counts   SARE_MULT_SEXCLUB        0s/0h of 22950 corpus (17237s/5713h MY) 05/14/06
#max      SARE_MULT_SEXCLUB        59s/0h of 45478 corpus (41529s/3949h MY) 05/16/05
#counts   SARE_MULT_SEXCLUB        0s/0h of 13303 corpus (7429s/5874h CT) 05/14/06
#max      SARE_MULT_SEXCLUB        22s/0h of 10853 corpus (6391s/4462h CT) 05/16/05
#counts   SARE_MULT_SEXCLUB        0s/0h of 2500 corpus (531s/1969h ft) 05/17/05

header    SARE_MULT_SUBJ           ALL =~ /\nSubject:.{10,150}\nSubject:.{10,150}\nSubject:/s
score     SARE_MULT_SUBJ           0.777
describe  SARE_MULT_SUBJ           Many subject lines
#hist     SARE_MULT_SUBJ           Loren Wilton, June 2005
#counts   SARE_MULT_SUBJ           0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_MULT_SUBJ           40s/0h of 271461 corpus (129860s/141601h RM) 06/12/05
#counts   SARE_MULT_SUBJ           0s/0h of 5653 corpus (1019s/4634h ft) 06/04/05
#counts   SARE_MULT_SUBJ           0s/0h of 47283 corpus (43206s/4077h MY) 06/05/05
#counts   SARE_MULT_SUBJ           0s/0h of 55848 corpus (18671s/37177h JH-3.01) 06/10/05
#counts   SARE_MULT_SUBJ           0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

# EOF

